You get an Aadhaar! You get an Aadhaar! Everybody gets an Aadhaar!

On 26 September 2018, the Supreme Court of India handed down a landmark ruling on the constitutionality of the biggest biometric identity system in the world, India’s Aadhaar system.

The Aadhaar was implemented in 2016, and has since acquired a billion registered users. It’s a 12-digit number issued to each resident of India, linked to biometrics including all ten fingerprints, facial photo and iris scans, and basic demographic data, all held in a central database. Since being implemented, it’s been turned to a variety of uses, including everything from proof of identification, tracking of government employee attendance, ration distribution and fraud reduction, entitlements for subsidies, and distribution of welfare benefits. The Aadhaar has quickly become mandatory for access to essential services such as bank accounts, mobile phone SIMs and passports.

Beyond banks and telcos, other private companies have also been eager to use to the Aadhaar, spurring concerns about private sector access to the database.

In 2012, a series of challenges were levelled at the Aadhaar, including that the Aadhaar violated constitutionally protected privacy rights.

In a mammoth 1448 page judgement, the Court made several key rulings:

  • The Court ruled that the Aadhaar system does not in itself violate the fundamental right to privacy. However, the Court specifically called out a need for a ‘robust data protection framework’ to ensure pricy rights are protected.
  • However, the Aadhaar cannot be mandatory for some purposes, including access to mobile phone services and bank accounts, as well as access to some government services, particularly education. Aadhaar-authentication will still be required for tax administration (this resolves some uncertainty from a previous ruling).
  • The private sector cannot demand that an Aadhaar be provided, and private usage of the Aadhaar database is unconstitutional unless expressly authorised by law.
  • The Court also specified that law enforcement access to Aadhaar data will require judicial approval, and any national security-based requests will require consultation with High Court justices (i.e., the highest court in the relevant Indian state).
  • Indian citizens must be able to file complaints regarding data breaches involving the Aadhaar; prior to this judgment, the ability to file complaints regarding violations of the Aadhaar Act was limited to the government authority administering the Aadhaar system, the Unique ID Authority of India.

The Aadhaar will continue to be required for many essential government services, including welfare benefits and ration distribution – s7 of the Aadhaar Act makes Aadhaar-based authentication a pre-condition for accessing “subsidy, benefits or services” by the government. This has been one of the key concerns of Aadhaar opponents – that access to essential government services shouldn’t be dependant on Aadhaar verification. There have been allegations that people have been denied rations due to ineffective implementation of Aadhaar verification, leading to deaths.

It’s also unclear whether information collected under provisions which have now been ruled as unconstitutional – for example, Aadhaar data collected by Indian banks and telcos – will need to be deleted.

As Australia moves towards linking siloed government databases and creating its own digital identity system, India’s experience with the Aadhaar offers many lessons. A digital identity system offers many potential benefits, but all technology is a double-edged sword. Obviously, Australia will need to ensure that any digital identity system is secure but, beyond that, that the Australian public trusts the system. To obtain that trust, Australian governments will need ensure the system and the uses of the digital identity are transparent and ethical – that the system will be used in the interests of the Australian public, in accordance with clear ethical frameworks. Those frameworks will need to be flexible enough to enable interfaces with the private sector to reap the full benefits of the system, but robust enough to ensure those uses are in the public interest. Law enforcement access to government databases remains a major concern for Australians, and will need to be addressed. It’s a tightrope, and it will need to be walked very carefully indeed.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

GDPR is here

If the recent flurry of emails from organisations sending privacy policy updates didn’t tip you off, the new EU General Data Protection Regulation (GDPR) commences today.

Reading every one of those emails (something even those of us in the privacy world struggle with), might give you the impression that there’s a standard approach to GDPR compliance. But the truth is that how your organisation has (hopefully) prepared for GDPR, and how it will continue to improve its privacy practices, is highly variable.

We’ve covered the GDPR at length on this blog, and a collection of links to our various articles is at the bottom of this post– but first, we’d like to set out a few thoughts on what the GDPR’s commencement means in practice.

Remember the principles

If the GDPR applies to your organisation, you’ve presumably taken steps to prepare for the requirements that apply under the new privacy regime. Among these are new requirements relating to data breach notification, as well as new rights and freedoms for individuals whose personal data you may be processing.

One aspect of GDPR that has received plenty of attention is the new penalties, which can be up to 4% of an organisation’s annual turnover, or 20 million Euros (whichever is greater). Certainly, those numbers have been very effective in scaring plenty of people, and they may cause you to check once again whether your organisation fully meets the new requirements under the GDPR.

However, the reality isn’t quite so straightforward (or scary). Much of the GDPR is principles-based, meaning that there isn’t always a single way to comply with the law – you need to take account of your organisation’s circumstances and the types of personal data it processes to understand where you stand in relation to GDPR’s requirements.

Although we don’t expect EU supervisory authorities to provide an enforcement ‘grace period’, we’re also of the view that enforcement activities will ramp up gradually. The authorities understand that, for many organisations, GDPR compliance is a journey. Those organisations that can demonstrate they’ve taken every reasonable step to prepare for GDPR, and which have a plan for continuing to improve their privacy compliance and risk programs, will be far better placed than those that have done little or nothing to get ready for the new law.

If your organisation still has work to do to comply with the GDPR, or you want to continue improving your organisation’s compliance and risk program (and there is always more to do!), there is plenty of help available to help you navigate GDPR and understand how it applies to your organisation.

Our previous coverage of the GDPR

Tim compares Australia’s Privacy Act with the GDPR

Melanie spoke to Bloomberg about driving competitive advantage from GDPR compliance

Head to Head: the GDPR and the Australian Privacy Principles (Part 1 and Part 2)

A Lesson in Data Privacy: You Can’t Cram for GDPR

Facebook and Cambridge Analytica: Would the GDPR have helped?

5 things you need to know about GDPR’s Data Protection Officer requirement


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

5 things you need to know about GDPR’s Data Protection Officer requirement

This article was originally published in issue #83 of Privacy Unbound under the title ‘5 Questions about DPOs’. Privacy Unbound is the journal of the International Association of Privacy Professionals, Australia-New Zealand (iappANZ).

1. What is a ‘DPO’, anyway? What are they even supposed to do?

In a nutshell, the Data Protection Officer (DPO) is a senior advisor with oversight of how your organisation handles personal data.

Specifically, DPOs should be able to:

  • inform and advise your organisation and staff about their privacy compliance obligations (with respect to the GDPR and other data protection laws)
  • monitor privacy compliance, which includes managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
  • act as a first point of contact for regulators and individuals whose data you are handling (such as users, customers, staff… etc.) (Art. 39(1)).

2. But we’re not based in Europe, so do we even need one?

Well, even if you aren’t required to have one, you should have one. If you’re processing, managing or storing personal data about EU residents, you’ll need to comply with the requirements of the GDPR – this is one of those requirements, whether you’re based in the EU or not.

Specifically, the GDPR requires that you appoint a DPO in certain circumstances (Art. 37(1)).

These include if you carry out ‘large scale’ systematic monitoring of individuals (such as online behavioural tracking).

You’ll also need to appoint a DPO if you carry out ‘large scale processing of personal data’, including:

  • ‘special categories of data’ as set out in article 9 – that is, personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric identifiers, health information, or information about person’s sex life or sexual orientation.
  • data relating to criminal convictions and offences (per Art. 10).

The Article 29 Working Party has stated[1] that ‘large scale’ processing could include, for example, a hospital processing its patient data, a bank processing transactions, the analysis of online behavioural advertising data, or a telco processing the data required to provide phone or internet services.

Even if you don’t fit into one of these categories, you can still appoint a DPO in the spirit of best practice, and to ensure that your company is leading from the top when it comes to privacy.

In this respect, New Zealand is already ahead of the game. Entities covered by the New Zealand Privacy Act are already required to have a privacy officer, and they largely fulfil the same functions as a DPO.[2] However, they’ll still need to meet the other DPO requirements; see below.

While Australia hasn’t made having a privacy officer an express requirement for the private sector, the Office of the Australian Information Commissioner recommends that companies appoint a senior privacy officer as part of an effective privacy management framework.[3]

Government agencies aren’t off the hook

Being Public Service will not save you. Public authorities that collect the information of EU residents are also required to have a DPO (Art. 37(1)).

It’s worth noting that Australian Government agencies will need to appoint privacy officers and senior privacy ‘champions’ under the Australian Government Agencies Privacy Code,[4] which comes into force on 1 July 2018. Agency Privacy Champions may also be able to serve as the DPO.

As New Zealand Government agencies already have privacy officers, the only question they must answer is whether their privacy officer meets the other DPO requirements; see below.

3. OK, fine. We get it. We need a DPO. Who should we appoint?

The DPO needs to be someone that reports to the ‘highest management level’ of your organisation; that is, Board-level or Senior Executive (Art. 38(3)).

They’ll need to be suitably qualified, including having expert knowledge of the relevant data protection laws and practices (Art. 37(5)).

The DPO also needs to be independent; they can’t be directed to carry out their work as DPO in a certain way, or be penalised or fired for doing it (Art 38(3)). You’ll also need to ensure they’re appropriately resourced to do the work (Art. 38(2)).

If you’re a large organisation with multiple corporate subsidiaries, you can appoint a single DPO as long as they are easily accessible by each company (Art. 37(3)).

You can appoint one of your current staff as DPO (Art 37(6)), as long as their other work doesn’t conflict with their DPO responsibilities (Art. 38(6)). This means that you can’t have a DPO that works on anything that the DPO might be required to advise or intervene on. That is, they can’t also have operational responsibility for data handling. This means you can’t, for example, appoint your Chief Security Officer as your DPO.

4. But that means we can’t appoint any of our current staff. We can’t take on any new hires right now. Can we outsource this?

Yes, you can appoint an external DPO (Art 37(6)), but whoever you contract will still need to meet all of the above requirements.

Some smaller companies might not have enough work to justify a full-time DPO; an outsourced part-time DPO might be a good option for these organisations.

It might also be hard to find qualified DPOs, at least in the short term; IAPP has estimated that there will be a need for 28,000 DPOs in the EU.[5] A lot of companies in Australia and New Zealand are already having trouble finding qualified privacy staff, so some companies might have to share.

5. This all seems like a lot of trouble. Can we just wing it?

I mean, sure. If you really want to. But under the GDPR, failure to meet the DPO obligations may attract an administrative fine of up to €10 million, or up to 2% of your annual global turnover (Article 83(4)). Previous regulatory action in the EU on privacy issues has also gained substantial media attention. Is it really worth the risk? Especially given that, in the long run, having robust privacy practices will help you keep your users and your customers safe – having an effective DPO may well save you money.

[1] http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf

[2] S23, Privacy Act 1993 (NZ); http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM297074.html

[3] https://www.oaic.gov.au/agencies-and-organisations/guides/privacy-management-framework

[4] https://www.oaic.gov.au/privacy-law/privacy-registers/privacy-codes/privacy-australian-government-agencies-governance-app-code-2017

[5] https://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

In Privacy Awareness Week, will Australia follow the GDPR?

Last week, the headlines told us that the senate backs GDPR style laws in Australia.

But what does this really mean in terms of the government’s commitment to reviewing privacy in Australia?

This does not (necessarily) mean the law will be reviewed

In short, it means very little.  The senate’s support of senator Jordon Steele-John’s notice of motion calling on the Government to consider the impact of our current privacy laws on Australians and look to the GDPR as a potential model for privacy protections for Australians holds no commitment as the senate cannot commit the government to action.

What it does signify is something very big and that is, a shift in the willingness of the senate to stand behind the Greens’ position that Australian privacy laws must be scrutinised.  Just two months ago, senator Steele-John put forward a very similar notice of motion and it was shut down, as were a couple of other privacy related motions.

Why did this one pass? (What has changed)

There are a few likely reasons why this one passed.  Putting aside matters of semantics and the politics of calling on government to subject itself to tighter scrutiny, (which was the case in motions no 749 and no 786), there is one material reason why this motion passed.

In the last two months, consumers have started to wake up to something we privacy professionals have worried about for a while – and that legal compliance is not enough and can, in fact, be damaging if ethical behaviours and transparent practices are perceived to be lacking.

There has been an enormous groundswell in Australia over the last two months, with both Facebook Cambridge Analytica and Commonwealth Bank blitzing the press with actions they have taken – or not taken – which although arguably lawful, have not met public perceptions of fairness and ethics.  Put simply, community expectations have surpassed legal standards.

So, senator Steele-John had his day, and time will tell whether this will serve as a prompt for government to call for a review of Australian privacy law in view of the GDPR.

There are plenty of other reasons why GDPR compliance makes sense, but we’ll leave that to a future blog.

Happy Privacy Awareness Week!


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

Facebook and Cambridge Analytica: Would the GDPR have helped?

It’s a modern-day truism that when you use a “free” online service, you’re still paying – not with your money, but with your personal information. This is simply the reality for many of the services we’ve come to rely on in our daily lives, and for most it’s an acceptable (if sometimes creepy) bargain.

But what if you’re paying for online services not just with your own personal information, but with that of your friends and family? And what if the information you’re handing over is being shared with others who might use it for purposes you didn’t consider when you signed up – maybe for research purposes, maybe to advertise to you, or maybe even to influence the way you vote?

Last week it emerged that an organisation called Cambridge Analytica may have used personal information scraped from Facebook to carry out targeted political advertising. The information was obtained when Facebook users accessed a psychometric profiling app called thisisyourdigitallife – but the data that was collected wasn’t just about app users, it was also about their Facebook friends (more on that below).

It’s what we’re now seeing from consumers that’s interesting.  People are rightfully asking for an explanation. Whilst we seem to have been asleep at the wheel over the last few years, as data empires around the world have pushed the boundaries, the current Facebook debacle is leading us to ask questions about the value of these so-called “free” services, and where the lines should be drawn.  The next few weeks will be telling, in terms of whether this really is the “tipping point” as many media commentators are calling it, or just another blip, soon forgotten.

In any case, with only a few months until the EU General Data Protection Regulation (GDPR), comes into force, this blog post asks:  If GDPR was operational now, would consumers be better protected?

First, some background

There’s plenty of news coverage out there covering the details, so we’ll just provide a quick summary of what happened.

A UK-based firm called Global Science Research (GSR) published thisisyourdigitallife and used the app to gather data about its users. Because GSR claimed this data was to be used for academic purposes, Facebook policies at the time allowed it to also collect limited information about friends of app users. All up, this meant that GSR collected the personal information of more than 50 million people – many more than the 270,000 people who used the app.

GSR then used the personal information to create psychometric profiles of the included individuals, apparently without their informed consent. These profiles were then allegedly passed on to Cambridge Analytica (possibly in breach of Facebook’s rules), which used the data to target, market to – and perhaps manipulate – individuals.

Was this a breach?

There’s been some debate over whether this incident can be fairly labelled a “breach”. Based on what we know, it certainly doesn’t appear that any personal information has been lost or disclosed by means of an accident or a security vulnerability, which is something many consider a necessary element of a “data breach”.

Facebook’s initial response was to hit back at claims it was a “data breach”, saying users willingly handed over their information, and the information of their friends. “Everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked” it allegedly said.

Facebook has since hired a digital forensics firm to audit Cambridge Analytica and has stated that if the data still exists, it would be a “grave violation of Facebook’s policies and an unacceptable violation of trust and the commitments these groups made.”

In more recent days, Mark Zuckerberg has made something of a concession, apologising for the  “major breach of trust”.   We love this line from the man that told us that privacy is dead.

GDPR – would it have helped?

We at elevenM are supporters of the GDPR, arguably the most extensive and far reaching privacy reforms of the last 25 years. The GDPR raises the benchmark for businesses and government and brings us closer to one global framework for privacy.   But would the GDPR have prevented this situation from occurring? Would the individuals whose data has been caught up by Cambridge Analytica be in a better position if the GDPR applied?

Let’s imagine that GDPR is in force and it applies to the acts of all the parties in this case, and that Facebook still allowed apps to access information about friends of users (which it no longer does). Here is the lowdown:

  1. Facebook would have to inform its users in “clear and plain” language that their personal information (aka personal data under GDPR) could (among other things) be shared with third party apps used by their friends.
  2. Because the personal data may have been used to reveal political opinions, users would likely also need to provide consent. The notification and consent would have to be written in “clear and plain” language, and consent would have to be “freely given” via a “clear affirmative act” – implied consent or pre-ticked boxes would not be acceptable.
  3. The same requirements relating to notification and consent would apply to GSR and Cambridge Analytica when they collected and processed the data.
  4. Individuals would also have the right to withdraw their consent at any time, and to request that their personal data be erased (under the new “right to be forgotten”). If GSR or Cambridge Analytics were unable to find another lawful justification for collecting and processing the data (and it’s difficult to imagine what that justification could be), they would be required to comply with those requests.
  5. If Facebook, GSR or Cambridge Analytica were found to be in breach of the above requirements (although again, this is purely hypothetical because GDPR is not in force at the time of writing), they could each face fines up to 20 million EUR, or 4% of worldwide annual turnover (revenue), whichever is higher. Those figures represent the maximum penalty and would only be applied in the most extreme cases – but they make clear that GDPR is no toothless tiger.

So, there it is.  We think that GDPR would have made it far more likely that EU residents were made aware of what was happening with their personal data and would have given them effective control over it.

Some lessons

With so many recent data incidents resulting from outsourcing and supply chain, regulators around the world are focussing increasingly on supplier risk.  Just last week here in Australia, we saw the financial services regulator APRA’s new cyber security regulation littered with references to supplier risk.   The Cambridge Analytica situation is another reminder that we are only as strong as our weakest link.  The reputations of our businesses and the government departments for whom we work will often hinge on the control environments of third parties.  Therefore, organisations need to clearly assess third party risks and take commensurate steps to assure themselves that the risks and controls are reasonable and appropriate.

As for individuals – regardless of what regulatory action is taken in Australia and abroad, there are simple steps that we all can and should be taking.  This episode should prompt people to think again about the types of personal information they share online, and who they share it with. Reviewing your Facebook apps is a good start – you might be surprised by some of the apps you’ve granted access to, and how many of them you’d totally forgotten about (Candy Crush was so 2015).

What’s next

We expect this issue to receive more attention in the coming weeks and months.

Regulators around the world (including the Australian Privacy Commissioner, the UK Information Commissioner (ICO), the Canadian Privacy Commissioner and the EU Parliament) are looking into these issues now. Just over the weekend we saw images of ICO personnel allegedly raiding the premises of Cambridge Analytica, Law & Order style.

The Australian Competition and Consumer Commission (ACCC) also has been preparing to conduct a “Digital Platforms Inquiry” which, among other things, may consider “the extent to which consumers are aware of the amount of data they provide to digital platforms, the value of the data provided, and how that data is used…”

Meanwhile, we await the consumer backlash.  Consumers will likely expect increasingly higher standards from the organisations they share their data with and will seek out those organisations that are transparent and trustworthy, and which can demonstrate good governance over privacy and data protection practices.   Will you be one of them?


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

A Lesson in Data Privacy: You Can’t Cram for GDPR

Deadlines are a powerful motivator. While travelling the world over the past year, including here in Australia, I’ve been energized by the discussions that companies are having about data privacy as they prepare for the European Union’s General Data Protection Regulation (GDPR). But I’ve also been dismayed by the numerous companies who remain oblivious – wilfully or otherwise – to the implications GDPR has for their business operations.

The GDPR comes into force on 25 May, 2018 – that is, less than four months from now, yet many Australian companies are still confused as to whether GDPR applies to them.

In a nutshell, if your business has any interaction with the personal data of an EU resident, then GDPR will apply.

I also see companies struggling with what GDPR actually means and being lured by quick fix sales pitches for tools and technology that claim to make you compliant with GDPR.  Vendors, suppliers, and consultants who have never operated in the data privacy space have miraculously become GDPR “experts”, with beautiful brochures and marketing collateral promising that their technology alone will deliver compliance. But, buyer beware: don’t believe the hype.

The high-level concept is simple: GDPR requires that companies have a data privacy legal compliance framework in place. In practice, that will look different for every organisation. That’s why effective compliance will never come straight from a box. Complying with the GDPR requires having a privacy program that lays out your business’s foundation for meeting its obligations around an individual’s fundamental rights to privacy and to own and control their personal data. It incorporates what data your company collects, why and how you collect it, and what you do with it. It takes account of your specific people, processes and systems. Technology has its place, but you must ensure you have the right tools for the right problems.

If you are using outside assistance to help bring you into compliance, there are some key things to consider before you sign on.

Do your homework

When you hire a new employee, you don’t make your decision based strictly on how they sell themselves. You read their resume, interview them, and check their references, because hiring an employee is a long-term investment and a poor decision can have significant consequences. Complying with GDPR is also a long-term proposition that deserves the same level of attention. Just like you would with a prospective new hire, get to know your prospective advisors and their capabilities by digging deeper than glossy sales brochures and snappy product taglines.

If you’re engaging an IT supplier, consider what steps they are taking to ensure that they comply with GDPR. Ask about their privacy framework and the internal policies and processes they have to support it. Ask them specifically how they comply with Australian data protection laws and all other relevant data protection laws.

Choose a company that clearly understands the difference between privacy and security and that takes a holistic view that includes all the processes and tools you need to protect your company and your customers. If you ask a privacy related question and they give a security answer, it is a sure sign that they don’t understand privacy at its core. World class security does not ensure privacy compliance – building a fortress around data you are not legally allowed to have will not save you from the inquisitive eye of European data regulators. And it won’t help restore the trust of customers who feel intruded upon by your organisation.

Information management has become a global proposition, so you want to work with a service provider that has a global approach, not a national one. If you operate in the European Union or provide goods and services to EU residents, member states have laws that also require consideration. Depending on how your business is structured, you many need to comply with the laws of multiple jurisdictions in overlapping contexts.  Ask how the provider stays current with new developments in privacy legislation and regulations around the world. If they say that rules in other jurisdictions aren’t ‘relevant’, then keep looking.

Keep your eyes on the prize

As you work to bring your company into compliance, remember your goal. Tools and technology might be part of your solution, but successful compliance with GDPR won’t be measured by the amount of software or data storage that someone installs for you, or the location of your data centre, or the latest data mapping or classification tool you implement. Success will be measured by your ability to demonstrate that you understand what data you’re collecting and what you’re doing with it.

When your service provider is finished, you and your employees should have a solid grasp of several key elements. Firstly, you should know what information you’re collecting about employees and customers, and you should have a procedure to ensure that you have their consent where needed and a lawful right to process data where consent is not an option. You also should know what agreements you have in place with third party providers that collect, process or host information for you. This isn’t the time to pass the buck—you need to know how they protect data that they collect, because they’re doing it on your behalf, and your customers will hold you responsible for their actions.  You need to know what data you collect about your customers, why you require that information from them, and what you do with it. If you and your team can’t answer these questions, chances are high that you don’t have an adequate data privacy framework and that you’re not compliant. If that’s the case, it’s time to get cracking.

Don’t cram the night before the exam

If your company hasn’t started preparing for GDPR, don’t panic—just get to work.  Start by taking stock of what data you collect and why. If you need external support, don’t be lured by those promising a quick fix – these will only cost you money to give you the appearance of compliance, and the regulators won’t be fooled. Spend the extra time to hire someone that can help you develop a proper privacy framework that will serve you, your employees, and your customers in the long run.

Still have questions?

Read our articles on:


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.